SSH as a worm vector

It has been quite some time since a serious Unix/Linux worm has made its way through the Internet. Such worms seem difficult to write, but few people would argue that they are impossible. To many, it is just a matter of time until a Linux-based worm gets loose. This event will slightly reduce the level of smugness in the community, and greatly reduce the credibility of claims that Linux is a more secure system. It is not something to look forward to.

Meanwhile, a crucial security-related component of many systems is SSH, usually in the form of OpenSSH. Even the most severely locked-down systems will often have an SSH port open. So any sort of compromise which involves SSH is seriously frightening. Now, a paper [PDF] written by four MIT researchers (and commented on by Bruce Schneier) describes how SSH could be used as a vector for worm attacks. This threat appears to be real, and deserves attention from anybody responsible for the security of network-attached systems.

SSH maintains a per-user "known hosts" file, where it stores the public keys of remote systems it knows about. This file enables SSH to issue that obnoxious warning whenever a host key changes; its purpose is to help prevent "man in the middle" attacks. It may be possible to redirect an SSH connection via a DNS compromise, but it will not normally be possible to keep SSH from noticing the switch. This is a good thing.

The known hosts file, however, is a handy little database listing all of the systems a given user connects to. If that user's account is compromised, the known hosts file becomes a list of logical systems to attack next. If the user's password is known, chances are good that it will work on at least some of the systems found in the known hosts file. If the user has set up no-password, key-based logins to some of those remote systems, knowledge of the password will not be necessary. The result is that a purely local exploit could use the SSH databases and protocol to automatically propagate itself across the net.

It's worth noting that a worm could be written today using this technique combined with, say, the just-announced core dump vulnerability. Sooner or later, somebody is going to go for it.

The paper's authors are trying to collect more data to generate more metrics on how extensive the "web of known hosts" is; to that end, they are asking people to contribute their known hosts files. See this page for more information. Note that their data collection process involves running a Perl script (supplied by them) as root. One assumes that these researchers are trustworthy, but one would be well advised to look over that script carefully before running it anyway. Twice.

The authors also point out that OpenSSH 4.0 includes a defense mechanism in the form of hashed known hosts files. By using a hash rather than the remote system's name, OpenSSH is able to verify remote keys without actually storing a list of remote system names. This behavior must be explicitly turned on, however (by adding a "HashKnownHosts yes" line to the SSH client configuration file) and existing known hosts files must be converted to the new format. A couple of scripts have been provided to help with the conversion process.
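To make the difference between the two file formats concrete, here is an added example (not from the article, the paper, or OpenSSH itself) that implements the hashed known hosts entry format OpenSSH 4.0 introduced, audits a file for names still stored in the clear, and converts plaintext entries to hashed ones. The format is `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so a hashed entry can still be checked against a name the client is about to connect to, but the file no longer reveals which names those are. The sample file contents are constructed, with placeholder key material; `hash_host`, `host_matches`, `hash_known_hosts` and `unhashed_hosts` are names chosen here.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample known_hosts content (not from the article). The key blobs
# are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are passed through untouched
build.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY00000000000000000000000
10.0.0.7,db.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY
"""


def hash_host(hostname, salt=None):
    """Return the hashed form '|1|<salt>|<hmac>' of one host name.

    OpenSSH uses a 20-byte random salt as the HMAC-SHA1 key and the host
    name as the message; both fields are base64 encoded.
    """
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(hashed_field, hostname):
    """True if the '|1|salt|hash' field was produced from hostname."""
    parts = hashed_field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    # constant-time comparison, as for any MAC check
    return hmac.compare_digest(mac, expected)


def _split_entry(line):
    """Split a known_hosts line into (marker, host-field, rest-of-line)."""
    marker = ""
    if line.startswith("@"):            # e.g. @cert-authority / @revoked
        marker, _, line = line.partition(" ")
        marker += " "
    hosts, _, rest = line.partition(" ")
    return marker, hosts, rest


def unhashed_hosts(text):
    """Audit helper: list every host name or address still stored in clear."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, hosts, _ = _split_entry(line)
        if hosts.startswith("|1|"):
            continue
        found.extend(hosts.split(","))
    return found


def hash_known_hosts(text):
    """Convert plaintext entries to hashed ones.

    A hashed field covers exactly one name, so a comma-separated alias list
    becomes one line per name, each with its own salt.
    """
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        marker, hosts, rest = _split_entry(line)
        if hosts.startswith("|1|"):
            out.append(line)
            continue
        for h in hosts.split(","):
            out.append(marker + hash_host(h) + " " + rest)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("names in clear:", unhashed_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("names in clear after hashing:", unhashed_hosts(hashed))
    first = [l for l in hashed.splitlines() if l and not l.startswith("#")][0]
    print("first entry matches build host:",
          host_matches(first.split(" ")[0], "build.example.internal"))
```

Running `unhashed_hosts` over a real `~/.ssh/known_hosts` is a quick way to see how much of the "web of known hosts" a single account exposes; an empty result means the file has been fully converted. Note that hashing is only a partial defence: it hides the names from whoever reads the file, but a compromised account's shell history, agent-forwarded keys and passwordless key logins still carry the same risk the paper describes. Once `HashKnownHosts yes` is set, the client writes new entries in the hashed form by itself; existing files can be converted in place with `ssh-keygen -H -f ~/.ssh/known_hosts`, which keeps a backup as `known_hosts.old`.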

The community is lucky to have received advance warning of this issue. Now, however, it is up to us to act on that warning. With some diligence, it may be quite a few more years before we see a serious Linux-based worm.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds